CVE-2023-4617 CRITICAL

CVE-2023-4617: Gaining remote control over Govee devices

Vendor Govee

Product Govee Home

Weakness CWE-863 · Incorrect authorization

Published December 19, 2024

Last update December 20, 2024

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

What the vulnerability does

01Description

Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9.

Key dates

02Disclosure timeline

December 19, 2024 CVE published

December 20, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-4617

Related vulnerabilities

Identifiers

CVE CVE-2023-4617

CWE CWE-863

CVSS 10.0 / CRITICAL

Affected versions

Vendor Govee

Product Govee Home

Affected < 5.9

Vendor Govee

Product Govee Home

Affected < 5.9

CVE-2023-4617: Gaining remote control over Govee devices

01Description

02Disclosure timeline

03References

04Related CVE